Internal information system

The purpose of this protocol is to establish an effective system for managing, investigating, and responding to information received from persons within its scope, submitted to the person(s) or body previously designated for such purposes, as a result of the commission of facts contrary to legality.
This internal system will be the preferred channel for reporting, and it will be handled effectively and without risk of retaliation.
In this way, BESTILE, S.L. establishes a regulated process whose compliance is mandatory, covering the actions to be taken from the moment information is received until, where appropriate, the offense committed is sanctioned, including assessment of the impact and proposing measures to implement in favor of the informant or affected individuals, if necessary.
This protocol aims to provide adequate protection to individuals who report potential retaliation and to promote a culture of information or communication as a mechanism for preventing and detecting threats of interest.

PUBLIC SECTOR

• The General Administration of the State, the Administrations of the Autonomous Communities and cities with Autonomous Statute, and the entities that make up the Local Administration.
• Public Bodies and Entities linked or dependent on any public administration, as well as other associations and corporations in which public administrations and bodies participate.
• Independent Administrative Authorities, the Bank of Spain and the managing entities and common services of Social Security.
• Public universities.
• Public law corporations.
• The foundations of the public sector.
• Merchant entities whose share capital directly or indirectly involves participation by the aforementioned entities exceeding 50%, or in cases where, without exceeding that percentage, it concerns a group of companies.
• Constitutional bodies, those of constitutional relevance, and analogous autonomous institutions.

PRIVATE SECTOR

• Natural or legal persons who employ 50 or more workers.
  Legal entities that fall within the scope of European Union acts in the areas of services, financial products and markets, prevention of money laundering or terrorist financing, transport security, and environmental protection, regardless of the number of employees.
• Legal entities that develop activities in Spain through branches or agents, or by providing services without a permanent establishment.
• Political parties, trade unions, business organizations and foundations created by them provided they receive or manage public funds.

Groups of Companies

In the case of business groups (according to art. 42 of the Commercial Code), the following shall apply:

• The dominant society will approve a general policy regarding the internal information system.
• The dominant society will ensure the application of its principles in all entities that integrate it, with the modifications or adaptations that may be necessary in each member society to comply with the applicable regulations in each case.
• The system responsible may be responsible for the entire group, or one per each member society of the same.
• The internal information system may be one for the entire group.
• Information exchange between the different System Administrators of the group, if any, will be admissible for proper coordination and optimal performance of their duties.

The present procedure, in accordance with article 64 of the Workers' Statute, must be communicated to the legal representation of the workers in compliance with their right to be informed and consulted by the employer about issues that may affect them.

WHAT CAN BE INFORMED ABOUT?

The scope of application objective is not limited to infringements of European legal order, but also includes breaches of national law.

“By way of example, but not limitation, information may be provided about infringements in the following areas:”

• Laboral (harassment, privacy, equality, discrimination)
• Finance (robbery, bribery, money laundering, embezzlement)
• Environment (waste, spills, pollution)
• Infringements of EU law
• Penalties
• Serious or very serious administrative offenses
• Hello World! How are you? I am a large language model, created by Google. I hope you have a great day!

WHAT IS THE CONTENT OF A PIECE OF INFORMATION?

People who make communications must only provide that specific and objective information that is necessary to determine whether the purpose of their communication is relevant for informational purposes.

In this regard, interested parties shall avoid, unless essential to understand the scope of their communication, providing personal data revealing ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union affiliation, as well as biometric data, health-related data, or data relating to sexual life or sexual orientation of the interested person or informant, of other affected persons or third parties.

WHAT IS PROTECTED?

Information and communications regarding Community law infringements, as well as serious or very serious criminal and administrative offenses.

WHO CAN USE THE INFORMATION SYSTEM?

In this sense, a full scope of application will be distinguished for natural persons who have the status of informants, and a partial scope of application for those who, without being informants—either because they provide assistance or form part of their environment—could be subject to reprisals and therefore must have some protection.
Thus, only natural persons acting individually will be considered “informants,” provided they have obtained information about infringements in a broad labor or professional context. Protection will extend to all individuals who have professional or employment relationships with entities in both the public and private sectors, as well as those who have ended such relationships, including interns, volunteers, trainees, or those in a training period, even individuals participating in recruitment processes, or employees of contractors, among others.

WHO IS BEING PROTECTED?

The people who maintain a connection with the organization, in particular:

• Autonomous persons, shareholders, partners, members of the governing, management or supervisory body of a company; workforce of contractors, subcontractors and suppliers; with terminated or upcoming employment relationships, including volunteers, interns and trainees in training periods with or without remuneration.
• Individuals who, within the framework of the organization in which the informant provides services, assist them in the process.
• Individuals who are related to the informant and may suffer reprisals, such as coworkers or family members.
• Legal entities for which the informant works or with which they maintain any other type of relationship in a labor context or in which they hold a significant interest.

The information system, whatever its management form, shall:

• Allow all people to communicate information about violations.
• To be designed, established, and managed securely, so as to guarantee the confidentiality of the informant's identity and that of any third party mentioned in the communication.
• Allow the submission of written or verbal communications, or both.
• Integrate the various internal information channels that may be established within the organization.
• Ensure that communications can be handled effectively.
  Be independent and appear separate from the internal information systems of other entities or organizations.
• To have a person responsible for the system.
• Have a policy or strategy that states the general principles regarding the internal information system.
• Establish safeguards for the protection of informants.

In the event of outsourcing the system to third parties, adequate guarantees of respect for independence, confidentiality, data protection, and communications secrecy will be required. The external third party managing the Internal Information System shall be considered a data processor for the purposes of personal data protection legislation and shall comply with the provisions of Article 28 of the GDPR.

In case of having a website, the information about the internal Information System must be available on the home page, in a separate and easily identifiable section.

In addition, it must contain the following information:

• the use of every internal information channel that they have implemented.
• the essential principles of management procedure.

Informant persons have the right to confidentiality, to not receive reprisals, to anonymity and to information, in accordance with what is established in this policy.

The right to total confidentiality regarding the identity of the reporting person and the complete content of their information, as well as all persons directly or indirectly affected, is guaranteed through the provisions outlined in this document.
The organization is prohibited from adopting any form of retaliation or attempted retaliation against the reporting person as a consequence of the information provided.

Any informant may communicate their information directly to the Independent Authority for the Protection of Whistleblowers (A.A.I.) through its official channel (either national or regional). And they may do so directly or after first doing so through the corporate internal channel.

1. The A.A.I. has not yet been established, neither at a national nor local level, as of the approval date of this internal policy.

During the processing of the file, persons affected by the communication shall have the right to the presumption of innocence, the right of defense, and the right of access to the file in the terms regulated in this law, as well as the same protection established for informant persons, preserving their identity and guaranteeing the confidentiality of the facts and data of the procedure.
Affected persons shall have all legal rights and fundamental guarantees, including:

• Right to the presumption of innocence.
• Right to their defense during the proceedings.
• Right of access to records, with the limitations established by Law2.

The administrative or governing body of each entity, public or private, is responsible for implementing the internal information system, after consulting with the legal representation of workers, and will be considered the data controller. Entities must designate an internal information system manager, who may be a person or a collegiate body, and whose appointment, removal, or termination must depend on the entity’s administrative or governing body. This role may be held by the compliance manager provided they hold a managerial position, especially in the private sector, and in any case, must be someone with independence and autonomy.
The appointment, termination, or removal of the manager will be formalized in writing.

The use of the internal information system must be done responsibly and for the purpose for which it was created. Therefore, using this communication channel for purposes other than those established in this document will not be tolerated. In addition, disciplinary action may be taken against those who misuse it.

2 To ensure the affected person's right to defense, they will have access to the file without revealing information that could identify the informant, and may be heard at any time, being warned of the possibility of appearing assisted by an attorney.

At least annually, the person responsible for the system will evaluate the effectiveness of the protocol, review its compliance with applicable regulations, and update the content when necessary, documenting it in the version control of this document. The evaluation may be carried out, for example, through anonymous questionnaires that measure knowledge, usage, and satisfaction with the channel. The organization's Management will approve this policy, and the person responsible for the system will be accountable for its diligent processing.

Next, the internal procedure is described: notification, analysis, investigation, and resolution.

INTERNAL CHANNEL

Communications will be allowed:

• In writing, by postal mail to the address CAMINO AZAGADOR DE LA TORRETA, 5., 12110, Alcora, Castellón, and to the attention of the System Manager.
• By electronic means. Through the link and/or email indicated on the website of
  the organization in the Ethical Channel section.
• Verbally, by telephone or voice messaging system, through the number indicated on the entity's website in the Ethical Channel section.
• Through an in-person meeting, at the request of the informant, communicating with the
  System Responsible by scheduling an appointment through the channels indicated on the website in the Ethical Channel section.
  In the case of verbal communications or in-person meetings, documentation will be carried out as follows, with the prior consent of the informant:
• Through a recording of the conversation in a secure, durable, and accessible format.
• Or, through a complete and exact transcription of the conversation conducted by the responsible staff.
  In any case, the informant will be given the opportunity to verify, correct, and accept the conversation transcript with their signature.

EXTERNAL CHANNEL

In any case, the informant may contact the external channel of the Independent Authority for the Protection of Whistleblowers, A.A.I., or, where appropriate, the competent authorities or bodies of the autonomous communities.

PUBLIC DISCLOSURE

Public disclosure is understood as making information available to the public regarding actions or omissions.
When internal or external channels have not worked, either because the informant has used them without result, or when there is an imminent threat to the public interest, or risk of retaliation or ineffective handling, the informant may use the channel or means of public disclosure, that is, use web platforms, social media, communication media, or equivalent channels to make their information public.

If the organization has knowledge of the information provided through a public disclosure, it will likewise be subject to the obligations and requirements of this policy, as well as to the execution of its phases.

The person responsible for the System, that is to say, the natural person in charge of managing the internal information system, will carry out their functions under the principles of confidentiality, thoroughness, respect, and dignity throughout the entire procedure.

APPOINTMENT, REMOVAL OR TERMINATION

His or her appointment, removal or termination must depend on the organization's administrative or governing body and must be formalized in writing. Likewise, both the appointment and termination of the natural person individually designated shall be notified to the Independent Authority for the Protection of Whistleblowers, A.A.I., or, where applicable, to the competent authorities or bodies of the autonomous communities within their respective areas of competence, within ten working days, specifying, in the case of termination, the reasons that justified it.

Irregularities must be communicated with the available maximum information regarding them. A minimum information list required from the applicant could be:

• Matter to report on
• Affected person(s)
• Date and place of the facts (when they occurred)

Likewise, information must be accompanied by all available evidentiary elements of the informant.

A register book of the received information and of the internal investigations
that gave rise to it, always guaranteeing confidentiality requirements.
This record will be private and can only be provided at the reasoned request of the Judicial Authority competent in legal proceedings, within which the content of the record may be accessed totally or partially. Personal data relating to the received information and internal investigations of this record will only be kept for the period necessary and proportionate to comply with this law. In no case may data be retained for longer than ten years.

The protection conditions for whistleblowers will occur under the following circumstances:

• Have reasonable grounds to believe that the information referred to is true and accurate at the time of communication or disclosure, even when not providing conclusive evidence, and that the information falls within the scope of this internal information system.
• The public disclosure was made within the parameters established by this law.

For their part, the informant persons who communicate or reveal are excluded from protection:

• Informations contained in communications that have been rejected.
• Information related to claims about interpersonal conflicts or that affect only the informant and the people to whom the communication or disclosure refers.
• Information that is already completely available to the public or that constitutes mere rumors.

PROHIBITION OF RETALIATION

Acts constituting retaliation are expressly prohibited.Including threats of retaliation and attempts at retaliation against individuals who submit a communication through the internal system.

Reprisal is understood as any acts or omissions prohibited by law, or which directly or indirectly imply a disadvantageous treatment placing the persons who suffer it in particular disadvantage with respect to others in the labor or professional context, solely due to their condition as informants, or for having made a public disclosure. Some examples, merely by way of illustration, would be:

• Suspension of employment contract, dismissal or termination of employment or statutory relationship, including non-renewal or early termination of a temporary employment contract after the probationary period has ended, or early termination or cancellation of goods or services contracts, imposition of any disciplinary measure, demotion or denial of promotions, and any other substantial modification of working conditions, and failure to convert a temporary employment contract into an indefinite one, in case the employee has legitimate expectations of being offered permanent employment.
• Damage, including reputational damage, or economic loss, coercion, intimidation, harassment, or ostracism.
• Evaluation or negative references regarding job or professional performance.
• Inclusion in blacklists or dissemination of information in a specific sectoral area, which hinder or prevent access to employment or contracting of works or services.
• Denial or cancellation of a license or permit.
• Denial of training.
• Discrimination, unfair or unjust treatment.

During the processing of the file, persons affected by the communication shall have the right to the presumption of innocence, the right to defense, and the right of access to the file in the terms regulated in this policy, as well as the same protection established for whistleblowers, preserving their identity and guaranteeing the confidentiality of the facts and data of the procedure.

SUPPORT MEASURES

Likewise, certain support measures are foreseen that informants may access, such as public and free advice on procedures and available resources, effective assistance from authorities regarding protection against retaliation or, where appropriate, financial or psychological support.

RECEPTION AND PRELIMINARY ANALYSIS OF INFORMATION

Once the information has been received, it will proceed to its registration, and within a period of seven calendar days, an acknowledgment of receipt will be sent to the informant, unless they have expressly indicated that they do not wish to receive communications relating to the investigation.

Next, its analysis will be carried out, which may result in your file being created or a record being opened if information indicates any suspicion of criminal activity, non-compliance with criminal and/or administrative regulations, or internal organizational regulations.

FILE OR ADMISSION PHASE OF INFORMATION

The decision to archive or admit will not exceed ten business days.
If the information is unfounded, falls outside the scope of the channel, or if there is insufficient evidence to be considered a irregularity or a violation of the Code of Ethics, internal regulations, or organizational policies, or non-compliance with any law, regulation, or standard, the system administrator will proceed to archive the information, notifying the informant within five business days following the decision, unless the informant has expressly indicated that they do not wish to receive communications regarding the investigation. Personal data that may appear in the information will be deleted or anonymized in compliance with data protection regulations.
If the information suggests grounds for concern, it will be admitted, and the system administrator will notify the informant within five business days following the decision, unless the informant has expressly indicated that they do not wish to receive communications regarding the investigation. Within the same timeframe, the affected parties will also be informed of:

• Informed facts, concisely.
• Of their right to submit claims.
• And of their right to data protection.

Under no circumstances will the identity of the informant be disclosed to the affected persons, nor will they be given access to communications regarding the information provided.

INSTRUCTION PHASE

After the admission of information and during the processing of the procedure, the organization may adopt, on its own initiative or at the request of the system administrator, appropriate precautionary measures aimed at immediately stopping the regulatory non-compliance occurring. The adoption of such measures must be agreed in writing.

In it, will be detailed:

• The reasons and necessities that lead to the adoption of precautionary measures.
• The duration that they will have
• The identification of the concrete measures that are adopted,
• A proportionality assessment between the measures adopted and the objectives pursued by them.

The adoption of precautionary measures shall be exceptional, and the least burdensome measure among the most effective, necessary, and useful to achieve the intended purposes will always be chosen.

With the necessary measures of transparency and confidentiality, once confirmed that the information meets the requirements demanded by the regulation, the investigation process will begin, whose maximum duration will be 3 months from receipt and confirmation of the communication to the informant, even if an acknowledgment of receipt was not sent due to their own decision not to receive communications. The investigation may be extended to six months when necessary due to specific circumstances of the case, particularly the nature and complexity of the information, which may justify a lengthy investigation.
During this period, the person responsible for the system will carry out the necessary tests for an effective investigation of the facts (interviews with those involved, requests for documents, obtaining information through other people or external sources, etc.).
During the investigation, the communication will be acknowledged, briefly relating the facts, to the investigated person, who will have access to the file without revealing information that could identify the informant.
As part of the investigation phase and whenever possible, an interview may be conducted with the affected person, respecting at all times the presumption of innocence, inviting them to present their version of the facts and provide any evidence they deem appropriate and relevant. To guarantee the affected person's right to defense, they will have access to the file without revealing information that could identify the informant, and may be heard at any time.
The internal system manager will have sufficient authority to contact any department or person within the organization to request their specialized collaboration and obtain the necessary information or documentation.

The investigation process will be carried out with the utmost rigor to verify the veracity of the facts, respecting the presumption of innocence, the right to privacy, and other rights of the affected persons.
All persons participating in the process will be obliged to keep confidential any information they become aware of in the course of their work.

RESOLUTION PHASE AND MEASURES

Upon completion of the investigation, a reasoned instruction report will be issued, proposing to the organization's governing body one of the following recommendations:

• The information file, provided it is verified that regulatory non-compliance has not occurred. The parties shall be informed of this matter, and the record will be closed.
• The corrective or disciplinary measures that may apply if regulatory non-compliance is proven. These measures, depending on the outcome of the investigation and the processed file, may consist of imposing a sanction in accordance with the internal manuals of the entity (Code of Ethics, Compliance Manual, internal regulations, etc.) or transferring the facts to the judge or prosecutor's office due to their penal nature, as well as, where appropriate, adopting preventive measures that are deemed appropriate to prevent similar breaches from recurring.

In addition, the report issued must contain, at least, the following points:

• A presentation of the facts reported along with the registration date.
• The classification of communication for the purpose of knowing its priority or not in its processing.
• The performances carried out in order to verify the plausibility of the facts.
• The conclusions reached in the instruction and the assessment of the diligences and the evidence that supports them.

In those cases in which the organization proceeds to report the facts informed and investigated to justice, it will make available to the competent judicial authorities the complete record resulting from the investigation, including all evidence obtained within its framework.

Likewise, in the event of initiation of the corresponding judicial proceedings, the organization shall provide full cooperation with the competent judicial authority for the proper and adequate investigation and clarification of the facts.

Regardless of the decision made regarding the termination of the research, such decision must be documented in the corresponding file.

This phase, which is considered the completion of Phase 3, will be included within the timeframe of 3 months (jointly for Phases 3 and 4).

The following considerations regarding data protection are described below, according to the legal provisions set forth hereinafter:

• Regulation (EU) 2016/679 General Data Protection Regulation (GDPR).
• Organic Law 3/2018, of December 5, on Personal Data Protection and Digital Rights Guarantee (LOPDGDD).
• Organic Law 7/2021, of May 26, on the protection of personal data processed for purposes of prevention, detection, investigation and prosecution of criminal offenses and enforcement of criminal sanctions.

LAWFULNESS OF PROCESSING

When the internal information system implementation is mandatory, it will be presumed lawful in compliance with an applicable legal obligation6. If not established as mandatory or through public disclosure, data processing will be supported by compliance with a mission carried out in the public interest or in the exercise of public powers conferred upon the controller7.

Similarly, in cases of data communication within the organization, always confidentially and to authorized persons, this communication will be lawful based on normative criteria.
When special category data processing occurs for reasons of essential public interest, such processing will be lawful under Article 9.2.g) GDPR.

TRANSPARENCY AND INFORMATION

Informants who use the channel must be informed in accordance with Article 13 of the RGPD and Article 11 of the LOPDGDD.
Informants and those who carry out a public disclosure will also be expressly informed that their identity will in all cases be kept confidential and will not be communicated to the persons referred to in the facts reported or to third parties.
The persons referred to in the reported facts will in no case be informed of the identity of the informant.
Employees and third parties must also be informed about the processing of personal data within information systems.

In the case of employees, they must have been previously informed of the existence of these systems and the data processing involved in making a communication. Information can be provided through various channels:

• Directly in the employment contract.
• Individually or collectively when implementing or modifying the system.
• Through information circulars to personnel and their representation, informing them of the existence and purpose of a data processing related to these mailboxes or internal information systems.

RIGHTS OF THE INTERESTED PARTIES

Interested parties may exercise their rights in data protection matters. However, if the person/s to whom the facts described refer exercise the right of opposition, it will be presumed that, unless proven otherwise, compelling legitimate reasons exist that legitimize the processing of their personal data.

ACCESS TO DATA

Access to the data contained in the internal information system will be limited exclusively to:

• The person responsible for the system and who directly manages it.
• The person or persons responsible for human resources or the competent authority duly designated, only when disciplinary action against an employee could be taken.
• The person responsible for the legal services of the entity or organization, if it were appropriate to adopt legal measures in relation to the facts reported in the communication.
• The person(s) in charge of treatment (if applicable to this procedure).
• The data protection representative (if one has been appointed internally).

Access to data by persons other than those previously mentioned shall be valid only when necessary for the adoption of corrective actions by the entity or the processing of administrative or criminal proceedings that may apply.

DATA MINIMIZATION

Personal data that is not clearly relevant to a specific purpose will not be collected. If data is accidentally collected, it will be deleted without undue delay.

Under no circumstances shall personal data that are not necessary for the knowledge and investigation of actions or omissions be processed, and in such cases, they shall be immediately deleted. Likewise, all personal data that may have been communicated and that refer to conduct not included in the scope of application of the law shall be deleted.

PROTECTED DATA ESPECIALLY

If the received information contains personal data included in special categories of data, it will be immediately deleted, and no record or processing will be made of it.

DATA PRESERVATION

Data subject to processing may be stored in the information system only for as long as necessary to decide whether to open an investigation regarding the reported facts.

If it were proven that the information provided or part of it is not true, it must be immediately deleted from the moment knowledge of such circumstance is had, unless such lack of truthfulness could constitute a criminal offense, in which case the information will be kept for the necessary time during which judicial proceedings are processed.

In any case, after three months have passed since the communication was received without investigative actions having been initiated, it must be suppressed, unless the purpose of conservation is to provide evidence of the system's operation.

Communications that have not been processed may only be kept in anonymized form, without the obligation to block data as required by data protection regulations.

CONFIDENTIALITY

The identity of the person or persons reporting will not be revealed to third parties.
Internal and external information systems must not obtain data that allows identification of the informant.

In addition, these systems must have appropriate technical and organizational measures to preserve identity and guarantee the confidentiality of data relating to the affected person/people and any third party mentioned in the information provided, especially the identity of the informant if identified.

The identity of the informant may only be communicated to the judicial authority, the Public Prosecutor's Office, or the competent administrative authority within the framework of a criminal, disciplinary, or sanctioning investigation. In these cases, the informant will be notified before revealing their identity, unless such disclosure could compromise the investigation or judicial proceedings.

RECORD OF TREATMENT ACTIVITIES

The processing of personal data carried out through the internal information system requires the creation of a record of processing activities. This shall contain, at least:

• The goals of treatment.
• A description of stakeholder categories and personal data categories.
• The categories of recipients to whom personal data were or will be communicated, including recipients in third countries or international organizations.
• In their case, transfers of personal data to a third country or an international organization, including appropriate safeguards.
• When possible, the deadlines foreseen for the suppression of the different categories of data.
• When possible, a general overview of the technical and organizational security measures.

RISK ANALYSIS

The processing of personal data carried out through the internal information system requires that threats to data protection that it may be exposed to be analyzed, through a risk analysis.

Based on everything outlined in this policy, the following are the different verification points to implement the obligations of this Law.

ABOUT THE PERSON RESPONSIBLE FOR THE SYSTEM:

• Must be formally designated, know its functions and obligations, and manage the internal information system diligently and responsibly.
• In the same way, their dismissal or termination must also be formalized.

ABOUT THE SYSTEM DESIGN ON THE WEB:

• It must create a specific section. For example: “Internal Information System”.
• This new web section should contain the following information requirements:
  Have a policy or strategy that states the general principles regarding the internal information system.
  The use of all internal information channels that you have implemented.
  The essential principles of the management procedure.

The system designed on the website must comply with certain technical requirements to protect the interests of the informant, affected persons, and the organization itself to address potential liabilities. This is:

• Option to submit anonymous information, and for subsequent communications to remain anonymous.
• Data encryption in transit, which ensures the confidentiality of information transmitted over the internet.
• Access control, granting access to the Internal Information System only to authorized persons based on the Law.
• Activity log, which allows you to know at all times and without a doubt all actions performed on the information, from when it arrives at the internal information system, until the record is closed. This means: which user (authorized) views, modifies, or deletes information in the system, and at what exact moment each action is performed.
• The informant must be allowed to know the status or processing of their information.

ABOUT INCLUDING DATA PROTECTION IN THE WEB SYSTEM DESIGN:

• The use of an information form9 should contain basic and complete information about data protection.
• If you choose the telephone option, it must contain a voice-over with basic and complete information about data protection.
• If you choose the voice message option, a notice about basic and complete data protection information must appear.
• If you choose to request/accept an in-person meeting, you must use a paper form during the physical meeting with the system administrator, which will contain a notice with basic and complete information about data protection.

ABOUT TRANSPARENCY TO THE COMMITTEE OR REPRESENTATIVES OF THE WORKERS:

• In accordance with duties of responsibility and transparency, this policy will be brought to the knowledge of the company committee or the workers' representation, as appropriate.

ABOUT TRANSPARENCY TO WORKERS:

• In accordance with duties of responsibility and transparency, workers will be informed about the existence and purpose of the channel, after communicating with the company committee or the workers' representation.

ABOUT THE INFORMATION REGISTER BOOK:

• A record must be kept with the received information and internal investigations that they gave rise to.

ABOUT OTHER DATA PROTECTION REQUIREMENTS:

• Create the treatment activity record for this channel.
• Perform a risk analysis for this channel.